Re: [webauthn] Is there a community for webauthn implementation discussion?

> That seems outside the scope of WebAuthn.

While I agree that the WebAuthn spec should not require anything in regards to key loss, I think that a place to discuss implementation details like this is useful to increasing adoption.

Nothing prevents me from implementing it. But your assumption tells me you agree that adding a reset code feature is recommended? I am impartial to the idea, and am just open to new ideas from other implementations... maybe someone thought of new implications that WebAuthn introduces (considering the fact that it is much broader than the current "norms" of 2FA which is restricted usually to a TOTP based app on a smartphone in most implementations).

ie. UX design around auth will now have to account for "this could be biometrics tied to a device" or "this could be a USB key with NFC on it so it can be used with multiple devices."... So if you activate password-less login and disable password login, and the only device registered is a Yubikey, you can login with any device that accepts input from a Yubikey, but if it's an iPhone TouchID, then that user can only login with one device now... unless we add some way to have the WebAuthn auth from the iPhone allow the user to login on another device through push notifications and native apps on our backend etc.

When designing an auth system using WebAuthn... it feels like 99% of people look at it as a drop in replacement for passwords|TOTP|SMS whatever it may be... but after talking to our designers and UX guys after reading into the spec, it's a lot more complicated than that IMO.

Again, to bring things back in for a moment: Is there a place where people who are implementing are gathering that I might be able to lurk/participate in?

GitHub Notification of comment by junderw
Please view or discuss this issue at using your GitHub account

Received on Sunday, 28 October 2018 14:12:32 UTC